From: Klaus Darilion <[email protected]>

> Nice. But I wonder why there is a drop-down of outgoing packets
> during an amplification attack. I would expect that outgoing traffic
> is constant. Maybe, in this case also legitimate queries are blocked
> (false positive).
Why would false positives happen only while there are lots of true
positives? This rate limiting scheme is not an automatic IP address or
domain name ACL. The only likely false positives are legitimate requests
both for the same records as the attack requests and from the same IP as
the forged requests. If the reduction indicates false positives, then the
bad guys are forging requests that are from real clients and for the same
names, but not by themselves enough to reach the rate limit. So I think
the reduction could be false positives only if the attack involves a lot
of differing client IP addresses and some very popular names.

Note also that the graphs don't say whether a reduction in outgoing
packets happens during an attack without the rate limiting. The
reasonable guess is that somewhere in the path from the real and
attacking clients up to and including the server there are bottlenecks
that let the attack hurt legitimate traffic, but we don't know where.
Maybe the attack blocks legitimate requests in routers or firewalls
between the server and legitimate clients.

From: Phil Regnauld <[email protected]>

} That's assuming all other clients are behaving properly in the
} first place, could be a non-negligible number of malware generating
} this background noise. Their existence might be revealed by rate
} limitation.

Because this rate limiting scheme is not an automatic IP address or name
ACL, I don't understand how that might happen. Why would bad guys be
continuing to forge about 1 qps for the same clients and name as during
the real attack?

} But yes, it's worth digging.

Agreed. However, the obvious test of checking for a reduction in
legitimate responses during an attack would be hard (how could you tell?)
and unsavory.
Vernon Schryver    [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
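The point Vernon makes above, that RRL is not an IP or name ACL and so only responses sharing both the attack's client network and the attack's response identity are affected, is easy to check with a toy model. The following is an added example written for this page, not code from the thread, from BIND, or from any RRL implementation. The token-bucket parameters (5 responses per second, a 2-second window), the /24 client mask, the "zone = last two labels" rule for error responses, and all of the traffic are constructed assumptions chosen for illustration.

```python
"""Toy model of DNS Response Rate Limiting (RRL).

Shows which queries are affected during a forged-source amplification
attack: only those whose (client network, response identity) bucket is
the one the attack has drained. Everything here is constructed for
illustration and is an assumption, not any server's actual algorithm.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Query:
    t: float                  # arrival time, seconds
    src: str                  # source address; forged by the attacker
    qname: str
    qtype: str
    rcode: str = "NOERROR"    # response code the server would return
    label: str = "attack"     # tag used only for reporting


class RRL:
    """Per-(client network, response identity) token bucket."""

    def __init__(self, responses_per_second=5, window=2, v4_prefix=24):
        self.rps = float(responses_per_second)
        self.capacity = self.rps * window   # max stored credits (assumption)
        self.v4_prefix = v4_prefix
        self.buckets = {}                   # key -> (credits, last_seen)

    def _client_net(self, src):
        # Accounting is per network block, not per address, so a forged
        # source and a real client in the same /24 share one bucket.
        return str(ipaddress.ip_network(f"{src}/{self.v4_prefix}", strict=False))

    def _key(self, q):
        net = self._client_net(q.src)
        if q.rcode == "NOERROR":
            # Positive answers are identified by the exact (name, type).
            return (net, "NOERROR", q.qname.lower(), q.qtype.upper())
        # Error responses (NXDOMAIN etc.) are pooled per zone; "zone" is
        # approximated as the last two labels, a deliberate simplification.
        zone = ".".join(q.qname.rstrip(".").split(".")[-2:]) + "."
        return (net, q.rcode, zone)

    def decide(self, q):
        key = self._key(q)
        credits, last = self.buckets.get(key, (self.capacity, q.t))
        credits = min(self.capacity, credits + max(0.0, q.t - last) * self.rps)
        if credits >= 1.0:
            self.buckets[key] = (credits - 1.0, q.t)
            return "send"
        self.buckets[key] = (credits, q.t)   # no credit: response suppressed
        return "drop"


def simulate():
    """Run constructed attack + legitimate traffic through the limiter."""
    rrl = RRL(responses_per_second=5, window=2)
    traffic = []
    # Constructed attack: 200 ANY queries within one second, all forged
    # from the victim 192.0.2.10 so the amplified answers land on it.
    for i in range(200):
        traffic.append(Query(10.0 + i / 200, "192.0.2.10", "example.com.", "ANY"))
    # Constructed legitimate queries arriving in the middle of the attack.
    probes = [
        Query(10.5, "192.0.2.10", "example.com.", "ANY", label="same_ip_same_name"),
        Query(10.5, "192.0.2.77", "example.com.", "ANY", label="same_net_same_name"),
        Query(10.5, "192.0.2.10", "www.example.com.", "A", label="same_ip_other_name"),
        Query(10.5, "198.51.100.7", "example.com.", "ANY", label="other_ip_same_name"),
        Query(10.5, "198.51.100.7", "nope.example.com.", "A",
              rcode="NXDOMAIN", label="other_ip_nxdomain"),
    ]
    result = {"attack_sent": 0, "attack_dropped": 0}
    for q in sorted(traffic + probes, key=lambda x: x.t):   # stable sort
        verdict = rrl.decide(q)
        if q.label == "attack":
            result["attack_sent" if verdict == "send" else "attack_dropped"] += 1
        else:
            result[q.label] = verdict
    return result


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:22} {v}")
```

Only the two probes that land in the attack's own bucket (same /24, same name and type) are suppressed; a different name from the same client, or the same name from a different client, still gets an answer. That is the narrow false-positive case described in the reply, and it is also why a drop in outgoing packets across the board cannot be explained by the limiter alone.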
